
114th Congress
March, 2015
Cybersecurity Legislation and Executive Branch Activity

I. ADMINISTRATION'S CYBERSECURITY PROPOSALS

On January 13, 2015, the Administration wrote a letter to Congress urging action on the following three priorities: 1) enhancing cyber threat information sharing within the private sector and between the private sector and the Federal Government; 2) protecting individuals by requiring businesses to notify consumers if personal information is compromised; and 3) strengthening and clarifying the ability of law enforcement to investigate and prosecute cybercrimes. The FY2016 Budget provides $14 billion to support cybersecurity efforts.

1. Updated Department of Homeland Security Cybersecurity Authority and Information Sharing

A. The Administration proposes to update the Department of Homeland Security Cybersecurity Authority and information sharing by codifying mechanisms for enabling cybersecurity information sharing between private and government entities, as well as among private entities, to better protect information systems and more effectively respond to cybersecurity incidents.

2. Updated Law Enforcement Provisions Related to Computer Security. The major changes are as follows:

A. Prosecuting Organized Crime Groups That Utilize Cyber Attacks. This change adds offenses under the Computer Fraud and Abuse Act (18 U.S.C. 1030) to the list of racketeering activities in the Racketeer Influenced and Corrupt Organizations Act (RICO at 18 U.S.C. 1961(1)). This change would increase certain penalties and make it easier to prosecute organized criminal groups that engage in computer network and similar attacks.

B. Deterring the Development and Sale of Computer and Cell Phone Spying Devices. These provisions provide additional tools to address violations of 18 U.S.C. 2512, which criminalizes the sale, distribution, and advertising of surreptitious interception devices.

C. Modernizing the Computer Fraud and Abuse Act. This updates and clarifies several provisions of the Computer Fraud and Abuse Act (18 U.S.C. 1030) to enhance effectiveness against attacks on computers and computer networks, including those by insiders.

D. Ensuring Authority for Courts to Shut Down Botnets. This proposal would empower courts to issue injunctions to disrupt or shut down botnets. The amendment would also create liability protection for companies that act in compliance with court orders under the section, and allow courts to order reimbursement where companies incur reasonably necessary compliance costs.

II. BILLS INTRODUCED IN ONE CHAMBER

1. HOUSE

A. H.R. 60 Cyber Defense National Guard Act
Sponsor: Rep. Jackson Lee, Sheila [TX-18] (introduced 1/6/2015)
Latest Major Action: 1/6/2015 Referred to the House Committee on Intelligence (Permanent Select).
0 cosponsors
Requires the Director of National Intelligence to report to Congress regarding the feasibility of establishing a Cyber Defense National Guard. Requires the report to address: (1) the number of persons who would be needed to defend the critical infrastructure of the United States from a cyber-attack or man-made intentional or unintentional catastrophic incident; (2) elements of the federal government that would be best equipped to recruit, train, and manage such a National Guard; (3) resources that can be pre-positioned and training that can be instilled to assure responsiveness if an incident disrupts communications in a region or area; (4) logistics of allowing governors to use such a National Guard in states during times of cyber emergency; and (5) whether a force trained to defend U.S. networks in a major attack or natural or man-made disaster will benefit overall efforts to defend the interests of the United States.

B. H.R. 53 Cyber Security Education and Federal Workforce Enhancement Act
Sponsor: Rep. Jackson Lee, Sheila [TX-18] (introduced 1/6/2015)
Latest Major Action: 1/23/2015 Referred to House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.
0 cosponsors
Amends the Homeland Security Act of 2002 to establish within the Department of Homeland Security (DHS) an Office of Cybersecurity Education and Awareness Branch to make recommendations to DHS regarding: (1) recruitment of information assurance, cybersecurity, and computer security professionals; (2) grants, training programs, and other support for kindergarten through grade 12, secondary, and post-secondary computer security education programs; (3) guest lecturer programs in which professional computer security experts lecture computer science students at institutions of higher education; (4) youth training programs for students to work in part-time or summer positions at federal agencies; and (5) programs to support underrepresented minorities in computer security fields with programs at minority-serving institutions, including historically black colleges and universities, Hispanic-serving institutions, Native American colleges, Asian-American institutions, and rural colleges and universities. Requires the NSF to report to Congress regarding the causes of the high dropout rates of women and minority students enrolled in science, technology, engineering, and mathematics programs.

C. H.R. 104 Cyber Privacy Fortification Act (2015)
Sponsor: Rep. Conyers, John, Jr. [MI-13] (introduced 1/6/2015)
Latest Action: 1/22/2015 Referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations.
1 cosponsor
Amends the federal criminal code to provide criminal penalties for intentional failures to provide required notices of a security breach involving sensitive personally identifiable information and requires those with knowledge of a major security breach to provide prompt notice to the U.S. Secret Service or the Federal Bureau of Investigation.

D. H.R. 283 Electronic Communications Privacy Act Amendments Act of 2015
Sponsor: Rep. Salmon, Matt [AZ-5] (introduced 1/12/2015)
Latest Action: 2/2/2015 Referred to the Subcommittee on Crime, Terrorism, Homeland Security and Investigations
This legislation states that a provider of remote computing service or electronic communication service to the public shall not knowingly divulge to any governmental entity the contents of certain communications without a warrant.
E. H.R. 234 Cyber Intelligence Sharing and Protection Act
Sponsor: Rep. Dutch Ruppersberger [D-MD-2]
Latest Action: 2/2/2015 Referred to the Subcommittee on the Constitution and Civil Justice
Directs the federal government to provide for real-time sharing of cyber threat information between all designated federal cyber operations centers and requires the Director of National Intelligence (DNI) to allow the intelligence community to share cyber threat intelligence with private-sector entities and utilities possessing appropriate certifications or security clearances. Directs DHS, the Attorney General, the DNI, and the Department of Defense to establish procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the federal government and sets forth requirements for the use and protection of shared information. Provides civil and criminal liability protections to cybersecurity providers, contracting entities, and self-protected entities acting in good faith to obtain or share threat information or to safeguard systems from threats and allows the federal government to use shared cyber threat information to deter attacks and investigate criminal activity.

F. Draft of Data Security and Breach Notification Act of 2015
Sponsors: Rep. Peter Welch [D-VT], Rep. Marsha Blackburn [R-Tenn.]
To require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information, and for other purposes. The new legislation would hold companies to a new national digital security standard that the authors claim is flexible enough not to restrain companies. It would also require that companies who have been breached notify people whose data may have been stolen within 30 days, unless there isn't a reasonable risk of identity theft or financial harm.

HR 1560 (Nunes, R-CA), Protecting Cyber Networks Act, to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats; to Intelligence (Permanent Select).
8 cosponsors

HR 1704 (Langevin, D-RI), to establish a national data breach notification standard; to Energy and Commerce, and Judiciary.

2. SENATE

S. 177 Data Security and Breach Notification Act of
Sponsor: Sen. Nelson, Bill [FL] (introduced 1/13/2015)
Latest Action: 1/13/2015 Read twice and referred to the Committee on Commerce, Science, and Transportation.
0 cosponsors
Protects consumers by requiring reasonable security policies and procedures to protect data containing personal information, and provides for nationwide notice in the event of a breach.

CISA
The Senate Intelligence Committee passed the Cybersecurity Information Sharing Act on March 12, 2015 by a vote of Senator Wyden objected citing privacy concerns. The legislation would help facilitate information sharing between and among the public and private sectors.

Senator Tom Carper (D-DE), ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Cyber Threat Sharing Act of 2015, which incorporates many of President Obama's legislative proposals.
S. 456

S 754 (Burr, R-NC), to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats; from the Select Committee on Intelligence.

III. SECURITY BREACH NOTIFICATION LAWS

1. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.

IV. BARRIERS TO LEGISLATION

1. On January 27, the Subcommittee on Research and Technology of the House Science, Space and Technology Committee held a hearing to discuss national data breach notification laws. On February 4, the Senate Committee on Commerce, Science, & Transportation held a hearing to examine private sector experience with the NIST Framework. Although there seems to be much bipartisan support, some lawmakers fear that there are still major barriers to reform. Three major barriers arose during the hearings:

A. Winning support for pre-emption, in which a federal law would supersede all or parts of the 47 state data breach notification statutes;

B. Deciding whether evidence of harm to breach victims is needed before requiring companies to notify consumers, and defining the type of harm that would trigger notification; and

C. Defining personally identifiable information that, if breached, would trigger notification.

V. Creation of Cyber Threat Intelligence Integration Center (CTIIC)

On February 25, 2015, President Obama directed the Director of National Intelligence to establish the Cyber Threat Intelligence Integration Center. The CTIIC will provide integrated all-source intelligence analysis related to foreign cyber threats and cyber incidents affecting U.S. national interests; support the U.S. government centers responsible for cybersecurity and network defense; and facilitate and support efforts by the government to counter foreign cyber threats. Once established, the CTIIC will join the National Cybersecurity and Communications Integration Center (NCCIC), the National Cyber Investigative Joint Task Force (NCIJTF), and U.S. Cyber Command as integral parts of the United States Government's capability to protect our citizens, our companies, and our Nation from cyber threats. The CTIIC will not be an operational center but will collect intelligence to assist other agencies like the NCCIC and the NCIJTF as they carry out their cybersecurity missions. No destination for the center has been established yet, but the current plan is to have the center located in metro Washington, DC.

HR 1918 (Lofgren, D-CA), to amend Title 18, United States Code, to provide for clarification as to the meaning of access without authorization in regard to computer crime; to Judiciary. CR 4/21/15, H2354.

S 1027 (Kirk, R-IL), to require notification of information security breaches and to enhance penalties for cyber criminals; to Commerce, Science, and Transportation. CR 4/21/15, S2300.

S 1030 (Wyden, D-OR), to amend Title 18, United States Code, to provide for clarification as to the meaning of access without authorization in regard to computer crime; to Judiciary. CR 4/21/15, S
